Answers to the questions packagers, distros, and security-conscious users are expected to ask under the CISA Secure by Demand Guide (Aug 2024). Five subject areas, in CISA's order. Updated each release.
Q: What authentication does Springtale use for its own surfaces?
The vault uses an Argon2id-derived key from the user's passphrase. Shipped
parameters: 64 MiB memory, t=3, p=4 — well above the OWASP baseline of
19 MiB / t=2 / p=1. There is no remote
authentication — Springtale runs on the user's own machine and binds its
management API to 127.0.0.1 by default with HMAC-SHA256 bearer tokens.
Q: Phishing-resistant MFA?
For the maintainer GitHub / crates.io / PyPI / npm publishing accounts: FIDO2 (WebAuthn / passkeys) is required at org level. No SMS.
For end users: hardware-FIDO2 is on the roadmap as a second factor for vault unlock. Not yet shipped.
Q: Default passwords?
None. Vault has no default passphrase; user sets one in onboarding. API tokens are generated per-install. There is no admin-shell account.
Q: Memory safety?
100% Rust. SolidJS frontend in WebKit (memory-safe JS). Python via pyo3 is
not a sandbox and is only used for the cooperation API. Full inventory in
docs/security/MEMORY-SAFETY.md.
Q: SQL injection?
All database access flows through springtale-store. Queries use
rusqlite::params! or sqlx::query_as! (compile-time verified). A CI lint
fails on any format!("SELECT|INSERT|UPDATE-style query string outside test
code.
Q: XSS?
SolidJS auto-escapes. innerHTML and dangerouslySetInnerHTML are CI-banned.
Tauri webview runs a nonce-based strict CSP with require-trusted-types-for 'script'.
Q: OS command injection?
std::process::Command requires explicit argv arrays. bash -c and
shell-string construction are CI-banned. Connector shell capability requires
explicit allow-listed binary paths and triggers blocking user approval.
Q: Path traversal?
Filesystem connector canonicalizes every path against an explicit base scope declared in the connector manifest. Refusal on traversal.
Q: TLS?
rustls exclusively. native-tls, openssl-sys, and openssl are banned
at the workspace level (deny.toml + [patch] stub). TLS 1.3 only. PQ
hybrid X25519+ML-KEM-768 KEX rolling out 2026 Q4.
Q: Secret handling?
Secret<T> from secrecy wraps every credential. zeroize on drop.
expose_secret() requires // SECURITY: annotation enforced by clippy
custom-disallowed-method lint.
Q: Logging?
tracing writes structured JSON logs to local files. Audit events
(authentication, vault unlock, connector load, capability denials, panic
wipe, manifest verify failures) go into an append-only SQLite table with row
hash chaining in springtale-sentinel.
Q: Telemetry?
Zero. Forever. There is no path to add telemetry. Anyone proposing a PR for
it is told to read CONTRIBUTING.md §"What we won't merge."
Q: Export of local logs?
User-triggered export. No automatic upload anywhere.
Q: Tamper evidence?
Audit log row hash chain; vault file integrity tag (AEAD).
Q: SBOM?
CycloneDX 1.7 (primary) + SPDX 2.3 (secondary) per release. Generated by the
sbom.yml workflow. Components include Rust, npm, Python, and CBOM
(cryptographic algorithms) + ML-BOM (configured AI adapters). Signed with
Sigstore cosign.
Q: SLSA?
Targeting SLSA Build Level 3 via slsa-framework/slsa-github-generator on
GitHub-hosted runners.
Q: Signed releases?
Yes. Sigstore cosign keyless (GitHub OIDC). .cosign.bundle published next
to every release artifact. Recipe in docs/operations/verifying-releases.md.
Q: Pinned dependencies?
Cargo.lock, pnpm-lock.yaml, uv.lock committed. cargo --locked and
pnpm install --frozen-lockfile in CI. GitHub Actions SHA-pinned (see
docs/security/CI-TRUST.md).
Q: Provenance for third-party deps?
cargo vet audit graph in supply-chain/audits.toml, imports from
Mozilla/Google/Bytecode Alliance audits. deny.toml policy gates licenses,
sources, advisories, bans.
Q: Connector sandbox?
Community connectors run in Wasmtime: 10M instructions, 64MB memory, 30s wall-clock. Manifest Ed25519-signed; verified on every load. Capability allow-list with exact host matching for network egress.
Q: Dependency confusion / typosquatting?
.npmrc registry-pinned to registry.npmjs.org/. ignore-scripts=true blocks
post-install scripts (CISA Shai-Hulud mitigation). Scoped names (@springtale/)
for first-party packages. cargo deny check bans denies new top-level deps
without sign-off.
Q: How do I report a vuln?
GitHub Security Advisories (preferred) or email k1104jackson@hotmail.com.
Full policy: SECURITY.md. Also published as RFC 9116 security.txt at
/.well-known/security.txt.
Q: SLA?
72h acknowledgement, 7d triage, 30d fix on private branch, public disclosure window negotiated. ≤24h ack and ≤14d fix for user-safety class bugs (identity leak, duress detectability, panic wipe defeat, telemetry).
Q: Safe harbor?
We will not pursue legal action against good-faith security research.
Q: CVE issuance?
GitHub Advisories CNA proxy is the path today. The maintainer files a
GitHub Security Advisory in this repo's Security tab and clicks "Request
CVE" to get an ID assigned under GitHub's CNA scope. The full step-by-step
flow + the trigger conditions and application process for Springtale
registering as a direct CVE Numbering Authority (once we hit
≥1 CVE / quarter sustained for 4 quarters with a 90-day disclosure track
record) are documented in
INCIDENT-RUNBOOK.md § On becoming a CNA.
Q: PGP?
Maintainer PGP key listed on the GitHub profile. Unencrypted reports also accepted.
This document is reviewed each release. Inconsistencies between this FAQ and
the running system should be filed as a security-doc-drift issue.